/*
 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 *  http://aws.amazon.com/apache2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

#include "api/s2n.h"
#include "tls/s2n_alerts.h"
#include "tls/s2n_connection.h"
#include "utils/s2n_safety.h"

/*
 * Check that a received HelloRequest is acceptable on this connection.
 *
 * A HelloRequest is rejected with S2N_ERR_BAD_MESSAGE when:
 *   - the connection is not a client (only a server sends HelloRequest), or
 *   - the handshake has already completed and TLS1.3 was negotiated
 *     (renegotiation does not exist in TLS1.3).
 *
 * Note that the version check is only applied once IS_NEGOTIATED() holds;
 * before that point the negotiated version is not yet known, so a
 * HelloRequest arriving mid-handshake passes this check regardless of the
 * eventual protocol version.
 *
 * Returns S2N_RESULT_OK when the message may be processed, otherwise
 * S2N_RESULT_ERROR with the s2n error set.
 */
S2N_RESULT s2n_client_hello_request_validate(struct s2n_connection *conn)
{
    RESULT_ENSURE_REF(conn);

    /* Post-handshake, a TLS1.3 peer must never send this legacy message.
     * The short-circuit keeps the version comparison behind the negotiated
     * check exactly as before. */
    RESULT_ENSURE(!IS_NEGOTIATED(conn) || conn->actual_protocol_version < S2N_TLS13,
            S2N_ERR_BAD_MESSAGE);

    /*
     *= https://www.rfc-editor.org/rfc/rfc5246#section-7.4.1.1
     *# The HelloRequest message MAY be sent by the server at any time.
     */
    RESULT_ENSURE(conn->mode == S2N_CLIENT, S2N_ERR_BAD_MESSAGE);

    return S2N_RESULT_OK;
}

/*
 * Consult the application's renegotiate_request_cb for its decision.
 *
 * `decision` is pre-set to S2N_RENEGOTIATE_REJECT so that a callback which
 * returns success without touching it is treated as a refusal.
 *
 * Returns S2N_ERR_CANCELLED if the callback does not return S2N_SUCCESS.
 * Caller must have verified that conn->config->renegotiate_request_cb is set.
 */
static S2N_RESULT s2n_client_hello_request_ask_application(struct s2n_connection *conn,
        s2n_renegotiate_response *decision)
{
    RESULT_ENSURE_REF(conn);
    RESULT_ENSURE_REF(conn->config);
    RESULT_ENSURE_REF(decision);

    *decision = S2N_RENEGOTIATE_REJECT;
    int cb_rc = conn->config->renegotiate_request_cb(conn,
            conn->config->renegotiate_request_ctx, decision);
    RESULT_ENSURE(cb_rc == S2N_SUCCESS, S2N_ERR_CANCELLED);

    return S2N_RESULT_OK;
}

/*
 * Handle a HelloRequest received by a client.
 *
 * Flow:
 *   1. Validate the message (see s2n_client_hello_request_validate).
 *   2. With no renegotiate_request_cb configured, the request is silently
 *      ignored - the historical s2n-tls behavior.
 *   3. If the connection did not negotiate secure renegotiation (RFC 5746),
 *      the request is always refused with a no_renegotiation alert; the
 *      application callback is NOT consulted, because the "server" may be an
 *      attacker relaying to a different, legitimate server.
 *   4. Otherwise the application decides. A rejection queues the
 *      no_renegotiation alert (RFC 5246 says this is a warning-level alert).
 *
 * Any callback response other than S2N_RENEGOTIATE_REJECT falls through and
 * is treated as acceptance: nothing further is done here, the function just
 * returns S2N_RESULT_OK. (NOTE(review): the response is not range-checked
 * against the known enum values; applications should only ever write a
 * defined s2n_renegotiate_response value into `response`.)
 *
 * Returns S2N_RESULT_OK on success; S2N_RESULT_ERROR with S2N_ERR_BAD_MESSAGE
 * for an invalid message, S2N_ERR_CANCELLED if the callback fails, or the
 * error from queuing the alert.
 */
S2N_RESULT s2n_client_hello_request_recv(struct s2n_connection *conn)
{
    RESULT_ENSURE_REF(conn);
    RESULT_ENSURE_REF(conn->config);
    RESULT_GUARD(s2n_client_hello_request_validate(conn));

    /* Maintain the old s2n-tls behavior by default.
     * Traditionally, s2n-tls has just ignored all hello requests.
     */
    if (!conn->config->renegotiate_request_cb) {
        return S2N_RESULT_OK;
    }

    /*
     *= https://www.rfc-editor.org/rfc/rfc5746#section-4.2
     *# This text applies if the connection's "secure_renegotiation" flag is
     *# set to FALSE.
     *#
     *# It is possible that un-upgraded servers will request that the client
     *# renegotiate.  It is RECOMMENDED that clients refuse this
     *# renegotiation request.  Clients that do so MUST respond to such
     *# requests with a "no_renegotiation" alert (RFC 5246 requires this
     *# alert to be at the "warning" level).  It is possible that the
     *# apparently un-upgraded server is in fact an attacker who is then
     *# allowing the client to renegotiate with a different, legitimate,
     *# upgraded server.
     */
    if (!conn->secure_renegotiation) {
        RESULT_GUARD(s2n_queue_reader_no_renegotiation_alert(conn));
        return S2N_RESULT_OK;
    }

    s2n_renegotiate_response decision = S2N_RENEGOTIATE_REJECT;
    RESULT_GUARD(s2n_client_hello_request_ask_application(conn, &decision));

    /*
     *= https://www.rfc-editor.org/rfc/rfc5246#section-7.4.1.1
     *# This message MAY be ignored by
     *# the client if it does not wish to renegotiate a session, or the
     *# client may, if it wishes, respond with a no_renegotiation alert.
     */
    if (decision == S2N_RENEGOTIATE_REJECT) {
        RESULT_GUARD(s2n_queue_reader_no_renegotiation_alert(conn));
    }

    return S2N_RESULT_OK;
}